Web Application Security Testing
With business increasingly relying on web applications as business interfaces there is been an increase in cyber attacks multi fold and web application security testing has gained prominence. Our Web Application Security Testing course takes testers hands on from the fundamental of web security testing to the advanced offensive web security testing techniques
822 Ratings
★★★★★ 5/5
Enquiry Now
300 +
Students Empowered
4.5/5
Best Selling Program
Format
Instructor-Led
online Program
Start Date
Instructor-Led
program on
Feb 26-27, 2022
About the Course
In this 2- day practical Web Application security Testing course, you will learn
- Foundations of Web
- Foundations of Security
- Under the Hood – Understanding HTTP
- Foundations of Web Security
- Survey the Territory
- Top Vulnerabilities
- Hands-On and Brainstorming Exercises
- HTML
- Using Browser Plugins
- Encoding and Decoding
- Parameter Tampering
- Breaking Authentication
- Breaking Access Flaws
- Breaking Session Management
- SQL Injection
- Cross-Site Scripting (XSS)
Course Outline
Day 1
1. Foundations of Web
- The Changing Face of the Web
- How It Was
- How It is Now
- Why Web technologies became so popular
- A high level view of Browsers, HTML, JavaScript, XML etc.
2. Foundations of Security
- Where are the security issues in a software
- Basics of Encoding and Encryption
- Security Attributes with Examples – Authentication, Authorization, Confidentiality, Integrity, Non-Repudiation/Accountability, Availability
- Understanding basic web user operations w.r.t. security attributes
- What is the goal of security attacks
- Why the attacks on the Web have become popular
- All Input is Malicious
- Change of Context – Data to Code
3. Under the Hood - Understanding HTTP
- Introduction to HTTP
- Introduction to Web Proxies
- How does a Web Proxy Work
- How to use a Web Proxy using Browser Options and Plugins
- HTTP Request Format
- HTTP Response Format
- HTTP Methods
- HTTP Status Codes
- HTTP Headers
- The key differences between a GET and POST
- Converting a GET into POST and vice versa
- HTTP is stateless
- Session Management
- Session Tokens versus Session
- Cookies
- Hidden Variables
4. Foundations of Web Security
- Client-side restrictions – HTML / JavaScript
- Cookies from Security Perspective
- Encoding versus Encryption
- Session Management from Security Perspective
- Authentication and Authorization from Security Perspective
- HTML Parameters from Security Perspective
- The Misplaced Trust on Client
- Understanding Web Architecture
5. Survey the Territory
- Mapping an application from security perspective
- Using Browser
- Using Browser and Plugins
- What are the different areas of interest
6. Top Vulnerabilities
- Vulnerability Lists ( Focus on OWASP )
- Injection (Focus on SQL Injection)
- Cross-Site Scripting
- Authentication Flaws
- Session Management Flaws
- Authorization Flaws
- Cross-Site Request Forgery
- Insecure Configuration
- Insecure Storage
- Insecure Transmission
- Redirection Flaws
Day 2
1. Hands-On and Brainstorming Exercises
- The exercises are conducted using local vulnerable apps which have been designed and developed for the purpose.
- No public website is used for the exercises, as that would break the Ethics code.
2. HTML
- Creating Basic HTML Links
- Creating Basic HTML Forms
3. Using Web Proxies
- BurSuite
- Understanding how the request is handled at various stages -> browser, TCP, web server, web framework middle layer, web server ( and then DB server, web service etc. if applicable )
- Converting a GET into a POST request and vice versa
4. Using Browser Plugins
- Proxy Bar, Proxy Button
- FireBug / Web Developer
- Tamper Data
- HackBar
- Groundspeed
- Encoding and Decoding
5. Encoding and Decoding
- URL Encoding
- Base64 Encoding
6. Parameter Tampering
- Hidden Variables
- URLs
- Form Data
7. Breaking Authentication
- Brain-storming on various authentication flaws
- Forgot Password Exercises
8. Breaking Access Flaws
- Naming conventions from security perspective
- Thinking from the development angle
- Finding hidden directories and parameters
- Manipulating Direct Object References
9. Breaking Session Management
- Cookie Manipulation
10. SQL Injection
- Understanding SQL using MySQL Database
- Imagining SQL based on the web application context
- String and Numeric SQL Injection
- Understanding when to use which form
- Understanding attack delivery for bug advocacy
11. Cross-Site Scripting (XSS)
- Retrieving cookies using JavaScript
- Reflected XSS
- Stored XSS
- Understanding Delivery mechanism of XSS (Demonstration)
- Relation to Social Engineering
Testimonials
Coming Soon
Rahul Verma
Chief Technology Officer, Verity Software
About the Instructor
CTO, Verity Software and Founder of Test Mile, Advisor and researcher for SALT – School of Applied Learning in Testing, president of ITB’s Bangalore chapter.
Awarded ‘Thought Leader’ for his contributions to Indian testing community, he has presented and published number of papers at several conferences including GTAC, CONQUEST, TEST2008, Yahoo! India, McAfee and IIT Madras.
Consults, coaches, mentors, conducts workshops and interviews in the areas of software testing, test automation frameworks, agile testing, web security, Python and web performance testing.
Known for his practical and unified view of software testing.
Tools Covered
FAQ’s
This is a 2 full day course which will start at 09:30 AM and end at 05:30 PM on all the 2 days.
No. We do not provide any tools with this course.
No, we do not provide placement.
The maximum batch size is 20 members in one batch.
Yes post training support will be provided, you can contact the trainers for any queries which you may have.
No, coding is not a prerequisite.
We strongly recommend that the participants attend the batch which they have specifically registered for. There can be exceptions in case of emergencies but the difference in fee(if any) will have to be borne by the participant.
No we do not provide refunds upon cancellation.
Yes we can arrange for an in-house batch for your company given there are a minimum of 10 participants per batch.
Trending Courses
Certified
Selenium Engineer
Learn More
Certified
Cloud Testing Practitioner
Learn More
Certified API, REST &
Microservices Tester
Learn More
Certified
Practitioner in Agile Testing
Learn More
Certified
Tester in DevOps
Learn More
Certified
Data & Analytics Tester
Learn More
Web
Application Security Testing
Learn More
Certified
Tester In Artificial Intelligence
Learn MoreEnquiry Now
For further queries contact
Anil
Pinky
